Librem 14 (PureBoot): how to resolve post Pure OS update error messages: «TOTP: Error PCR mismatch from TPM_Unseal | HOTP: Invalid code» and «Unable to unseal totp secret»

Hi all,

I recently updated my PureOS (nothing unusual, just: sudo apt-get update | sudo apt-get dist-upgrade -->resulting in the installation of a new kernel).

After rebooting and when prompted to sign the boot partition with my PureBoot key (nothing unusual either), I must have (accidentally) confirmed with “Z” instead of “Y”: obviously, following this erroneous command/confirmation the process did not go any further. I must then have done a hard reset in order to make a new attempt to sign the boot partition.

I then received the following (unexpected) error message:

  • «TOTP: Error PCR mismatch from TPM_Unseal | HOTP: Invalid code»

I tried to refresh TOTP/HOTP - to no avail.

I then did an OEM/Re-ownership reset, which seemed to go through smoothly: with the next reboots however, I kept receiving the following error messages:

  • «Unable to unseal totp secret»
    «cat: can’t open ’ /boot/kexec_hotp_counter’ : No such file or directory»
    «Unable to read HOTP counter»
    «HOTP code verification application, version 1.4
    …No working device found
    Could not connect to the device»

Based on guidance received from Mladen / Support Manager, I then checked:

  1. whether sufficient space was available in my /boot directory:

via the command:
sudo df -h

showing that only 12% of my /boot diskspace was in use (= largely sufficient, i.e. this could not be the cause).

  1. the files I currently had in my /boot directory:

via the command:
ls -lah

showing only the usual kernel, grub etc… related files (nothing unexpected either).

Mladen then advised me to update my PureBoot to the latest version (in my case: version 28.1), using the following instructions: PureBoot Getting Started Guide - Purism - Librem products documentation

Although I already had updated to that same version earlier-on, I still proceeded to reupdate my PureBoot to that same version 28.1 (with subsequent prompt to create a new HOTP/TOTP secret) –
and it helped, the error messages were gone!

So, in a nutshell: in case of above mentioned error messages (occurring following a Pure OS update involving a kernel update), it is neither a simple HOTP/TOTP refresh, nor an OEM/Re-ownership reset, but rather a PureBoot update to the latest version (instructions pls. see link above) with subsequent prompt (after reboot) to create a new HOTP/TOTP secret, which proved to be successful.

I use this opportunity to once more thank you, Mladen / support manager, for your helpful advice, and trust the above can be of use for anyone of you out there, who might be confronted with a similar situation.

Kind regards


I had the same problem updating to release 29 (unable to unseal…).
re-flashing the same update a 2nd time worked for me as well!
Glad you posted this!

1 Like